The Power of Convergence
Jun 1, 2004 12:00 PM, By Jacqueline Emigh
Are physical security and information security (IS) still separate islands? Lately, experts are seeing signs that some organizations are starting to make a connection between these two traditionally distinct worlds. Why the sudden convergence? Cost reductions are one big factor. Another is increased teamwork around federal regulatory compliance.
“You can notice that changes are happening if you look at recent ads for chief security officers (CSOs). These days, the job of CSO is about much more than just making sure the (company) president's parking space is open and the swipe cards don't break,” says Michael R. Higgins, managing director of technology risk management for Tekmark Global Solutions. “A lot of companies are looking for someone who's experienced not just in physical security, but in IS, too.”
Contents of industry conferences also spell change. “The lightbulb has gone on. People are recognizing that if someone can get physical access to a device, information security can become pretty much worthless,” Higgins says. “IS conferences now have entire tracks addressing physical security. IS people are asking questions like, ‘The computer center is in the middle of the floor. How can it be protected from physical access? And what about all those wiring closets?’”
Cost savings are another major driver for change. “Smaller companies have tended to combine their security organizations earlier, since they are working with smaller budgets. Now, though, larger organizations are also realizing that if you have two (security) stovepipes, you are paying for everything twice,” Higgins says.
Another catalyst is the atmosphere of heightened security that has emerged over the past few years around homeland security and regulatory/legal compliance. The Sarbanes-Oxley Act, for example, is a large and complex body of regulations establishing new “corporate responsibility” rules and procedures for publicly traded companies. It also institutes criminal penalties for corporate finance-related crimes and sets up a new oversight mechanism for the public accounting field.
As part of Sarbanes-Oxley, publicly traded companies are mandated by law to build internal controls over both access and computer operations, says Paul Zonneweld, a partner at PricewaterhouseCoopers. “Access control is something that exists really in layers, and it generally starts with the physical layer,” he says. “If companies cannot show that they have adequate controls in place, they can end up with big problems.”
In response to these industry trends, some corporations are forming multidisciplinary risk management teams, bringing together professionals whose expertise runs the gamut from physical and information security to human relations, media relations and the corporate law team.
“Risk management means much more today than it used to mean,” says Jenelle Hung, an analyst at The Radicati Group. “These days, it's about everything from (legal) internal liability issues to physical security and spam control.”
“In assessing risk, companies need to figure out the possible impact (of a security incident), and whether the (level of) risk is acceptable. If the risk is not acceptable, they need to impose controls. To the extent that there is a gap between physical and computer security, they need to bridge that gap,” Zonneweld says.
Passed after the Enron/Arthur Andersen scandal, the Sarbanes-Oxley Act contains a number of provisions about retaining records. “Records can be in electronic form, or they can be physical documents. So a company might need to build in controls to prevent document shredding, for instance,” Zonneweld adds.
One provision in Sarbanes-Oxley threatens fines and/or imprisonment against anyone who “knowingly alters, destroys, mutilates, conceals, covers up, falsifies or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct or influence” a government investigation or proceeding.
The law also compels companies to retain audit and review documents, for example.
Document retention is also being spurred by rising pressures from the court system around “legal discovery.” In legal discovery, two parties in a lawsuit can ask each other to produce documentary evidence. In one lawsuit, Long Island Diagnostic Imaging vs. Stony Brook Diagnostic Associates, the court dismissed an entire cross-complaint due to improper deletion of computer evidence on a network server.
On the IT side, companies are dealing with needs for electronic document retention through a variety of software tools, some of them outside the traditional “security” realm.
Kroll Ontrack Inc.'s PowerControl software, for example, is designed to let companies search and restore backed-up data. Organizations can also quickly retrieve information, allowing quick response to government requests, says Jim Reinert, Kroll Ontrack's director of software and services.
In certain situations, organizations now choose between physical and IS approaches to solving the same problem, Reinert says. “Until quite recently, surprising numbers of companies were failing to erase the hard drives of PCs that had reached the end of their life cycles. They would simply throw the PC in the trash, or return it to the leasing agent, with all their data still on it,” he says.
“Special software is available for erasing the disks, but there are some physical options, too,” Reinert continues. “You can physically grind up the hard drive in a special grinding machine — or, you can even literally take a sledgehammer to it.”
Meanwhile, organizations are also dealing with new pressures from laws such as the Gramm-Leach-Bliley Act (GLBA) and, in the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA).
GLBA removes restrictions on mergers between banks, brokerages and insurance firms, while at the same time instituting privacy policies to safeguard customers' personal financial data. “In the area of GLBA compliance, we are now seeing large banks doing security audits with partner companies that are electronically connected to them,” Higgins says.
In conducting security audits around regulatory requirements, some of Tekmark's risk management customers now ask for physical security reviews to be included in the process.
One advantage of collaborating on risk management teams is that physical security folks and other specialists can start to gain more leverage with IT, experts say. “Traditionally, there's been a huge problem at some companies with getting approval from IT, because it has not always liked change,” Hung says.
Meanwhile, information security has typically reported to the CTO (chief technology officer), as opposed to the security department, Higgins adds. “But now, that incestuous relationship is starting to go away,” he contends.
Still, though, the pace of progress is uneven. “Lots of vendors have not caught up yet to the convergence between IS and physical security,” Higgins continues.
At the same time, industries such as finance and healthcare tend to be far ahead of other fields at making the connection. Further, even within the most pioneering industries, companies vary greatly in terms of how quickly they are moving along.
Some organizations, for example, are taking regulatory compliance strongly to heart, whereas others simply want to “fill in the boxes,” says Carl Herberger, information security specialist, SunGard Availability Services. “When companies like that say, ‘We need a security policy,’ they are thinking of ‘security policy’ merely as something they need to get out of the way.”
Experts anticipate, however, that the distance will keep narrowing as a byproduct of more regulatory enforcement. “For the past three or four years, a lot of companies have not been spending much more than they had to on regulatory compliance. Now, however, government is expecting companies to channel some of their money back into their businesses, including security,” Higgins says.
“Regulation is nothing new, in and of itself. Yet in the past, some companies have stalled or delayed on compliance. Under Sarbanes-Oxley, the fines for noncompliance can be so high that companies are going to cooperate fully,” Reinert predicts.
© 2008 Penton Media Inc.